A new Domain Name System (DNS) attack method involving registering domains with specific names could be used for what researchers describe as “state-level espionage.”
Wiz CTOs Ami Luttwak and Shir Tamari unveiled at last week’s Black Hat cybersecurity conference in Las Vegas a new class of vulnerabilities they discovered that exposes valuable dynamic DNS data from millions of endpoints around the world. DNS (Domain Name System), one of the foundations of the Internet, is an extremely complex and decentralized system whose core function is the translation of readable domain names into numerical IP addresses.
Black Hat has a proud tradition of DNS research, most famously in 2008 when the late great Dan Kaminsky prevented internet doomsday by exposing some of the internet’s fundamental flaws. In general, DNS has become more secure since then. Still, DNS vulnerabilities are often critical because they put billions of devices around the world at risk.
Today, the rise of managed DNS providers (such as Amazon Route 53, Google Cloud DNS, Akamai, etc.) and the ubiquity of remote work are opening new cracks in this decades-old protocol, which was designed for a world in which employees and servers were both “local”.
What traffic do we receive?
They discovered this attack method while analyzing Amazon Route 53, a cloud DNS web service provided to AWS users. Route 53 provides about 2000 DNS servers with names like ns-852.awsdns-42.net. Wiz researchers found that registering a domain with such a name and adding it to a DNS server with the same name in Route 53 had some interesting results if they linked the domain to the IP address of a server they controlled.
“Whenever a DNS client queries this name server for information about itself (thousands of devices automatically update their IP addresses in their hosted networks), traffic is sent directly to our IP address,” the researchers explained in a blog post published after their Black Hat presentation.
They claim to have received DNS traffic from more than 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 government agencies from other countries. The intercepted data included internal and external IP addresses, computer names, usernames and office locations.
This data is included in dynamic DNS traffic from Windows devices. According to the researchers, the issue is related to the algorithm used to find and update the primary DNS server when a Windows device’s IP address changes.
Why are we getting such traffic?
The short answer is that Windows machines use a unique algorithm to find and update the primary DNS server when their IP address changes. Eventually the algorithm queries the hijacked name server for its own address. The result? Since we had pointed this server at our malicious IP address, we started receiving all of that query traffic.
To better understand this, imagine a Wiz employee decides to work from home—as most of us have been lately—and connects to their home WiFi. Their work laptop gets an internal IP address from their home router and will try to find the company’s local master server to update it with this new address.
Eventually, the endpoint will try to update the master server, an AWS shared server that manages thousands of customers. AWS nameservers do not support dynamic DNS updates, so update requests will fail.
So far the Microsoft algorithm works exactly as expected, and at this point it should stop and give up on updating the master. But that’s not what happens – this is where the problem arises. Instead of giving up, Windows tries another way to find the primary DNS server: the next step is to look up the address record of the master name server itself, the very name Wiz had registered.
AWS’s name servers responded with the IP address we had provided, in this case 1.3.3.7. That is where the Windows endpoints then sent their dynamic updates, inadvertently leaking their internal IP addresses, computer names and other information to our malicious DNS servers.
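As an added example, not drawn from the Wiz research or from this article, the Python below shows how a defender could spot exactly this failure mode in captured traffic: a DNS dynamic update (RFC 2136, opcode 5) sent from an internal address to a name server outside the private ranges. The sample message is constructed inline; the zone name `corp.example.` is illustrative and the destination `1.3.3.7` is the address quoted in the article.

```python
"""Flag DNS dynamic-update messages (RFC 2136, opcode 5) that leave the internal network."""
import ipaddress
import struct

# RFC 1918 ranges; an update whose destination lies outside these is leaving the network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_name(msg, off):
    """Decode an uncompressed wire-format name starting at offset off; return (name, new_offset)."""
    labels = []
    while msg[off] != 0:
        length = msg[off]
        if length & 0xC0:  # compression pointers do not occur in the Zone section of an UPDATE
            raise ValueError("unexpected compression pointer")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", off + 1


def parse_update_zone(msg):
    """Return the zone name if msg is a DNS UPDATE with a single SOA Zone entry, else None."""
    if len(msg) < 12:
        return None
    _id, flags, zocount, _pr, _up, _ad = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF          # bits 1..4 of the flags word
    if opcode != 5 or zocount != 1:
        return None
    zone, off = parse_name(msg, 12)
    ztype, _zclass = struct.unpack("!HH", msg[off:off + 4])
    return zone if ztype == 6 else None   # the Zone section must carry type SOA


def is_leaking_update(src_ip, dst_ip, msg):
    """True when an internal host sends a dynamic update to a name server outside INTERNAL_NETS."""
    if parse_update_zone(msg) is None:
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    internal_src = any(src in n for n in INTERNAL_NETS)
    external_dst = not any(dst in n for n in INTERNAL_NETS)
    return internal_src and external_dst


def build_update(zone):
    """Construct a minimal UPDATE message (header plus Zone section) for the sample below."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 5 << 11, 1, 0, 0, 0)   # opcode 5, ZOCOUNT 1
    return header + name + struct.pack("!HH", 6, 1)                 # ZTYPE SOA, ZCLASS IN


# Constructed sample: a laptop on a home LAN sending its update to the article's 1.3.3.7.
SAMPLE_UPDATE = build_update("corp.example.")
if __name__ == "__main__":
    print(is_leaking_update("192.168.1.20", "1.3.3.7", SAMPLE_UPDATE))   # True
```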
What can be done with this data?
“[The leaked traffic] gives anyone a bird’s-eye view of what’s going on inside companies and governments. We liken it to having nation-state-level espionage capabilities — and getting it is as easy as registering a domain,” the researchers said.
To demonstrate the potential impact of such an attack, they used the collected data to map the locations of employees at a large service company based on traffic received from more than 40,000 computers.
They claim that this location mapping also allowed them to determine that a large commodities trading company and subsidiaries of a large credit union apparently had employees in countries subject to U.S. sanctions, which would violate those sanctions.
Who is responsible for solving the problem?
After learning of the issue, Amazon and Google implemented fixes, but Wiz believes other DNS providers may also have vulnerabilities, meaning such attacks could still happen.
Microsoft was also notified, but the tech giant said it was a “known misconfiguration that occurs when organizations use external DNS resolvers” rather than a vulnerability.
While service providers can take steps to prevent such incidents, organizations can prevent such data leaks by ensuring DNS resolvers are properly configured to prevent dynamic DNS updates from leaving the internal network, Wiz said.